-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Martijn Pieters wrote:
> On 5/16/06, Cliff Ford <[EMAIL PROTECTED]> wrote:
>
>> So I still wonder if anyone who is using the REMOTE_USER environment
>> variable is aware of a problem and has a solution.
>
>
> Environment-related variables should not
On 5/16/06, Cliff Ford <[EMAIL PROTECTED]> wrote:
> So I still wonder if anyone who is using the REMOTE_USER environment
> variable is aware of a problem and has a solution.

Environment-related variables should not be "hackable" from restricted
code. Please file a report in the Zope Collector:
htt
I have done some more testing, and despite being told that
request.environ['REMOTE_USER'] is not hackable I have hacked it and can
use the hack to get at otherwise forbidden content. For testing I have
set REMOTE_USER in the zope.conf cgi-environment variable, so I can
quickly change from being
Hmmm, it was request.environ['REMOTE_USER'] that I found a way to hack.
However, your comment has caused me to realise that when not logged in,
Apache is not setting the REMOTE_USER environment variable, so a script
can set it (in environ). So if I get the Apache boss to set REMOTE_USER
to None
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Cliff Ford wrote:
> My people want to adopt a single sign-on system for web applications
> that is based on the REMOTE_USER environment variable. I have tried out
> RemoteUserFolder and also adapted exUserFolder to work similarly.
>
> My problem is th